Field of the Invention
The present invention relates generally to managing access to data and, more specifically, managing access to decentrally stored data through the use of references.
Description of Related Art
Healthcare is becoming increasingly complex, with a rising elderly population, increasingly complex diseases and treatments, and a corresponding increase in specialized clinics and physicians. As a result, patients are becoming increasingly mobile, and there is an increasing need for mechanisms to exchange medical information between physicians in different organizations in an efficient way.
Various attempts have been made over the last decade, particularly in Europe, to construct national-scale infrastructures for exchanging electronic medical records between physicians. Security and privacy remain a challenge in all of these systems. Most of the risks in existing systems arise from the large scale and centralized architecture of these (pull-based) systems.
The term pull-based system, as used herein, means a system in which a physician can “pull” information about a patient from another physician's system (or from another system in general). A characteristic of pull-based systems is that, typically, the person who “pulls” the information is not known a priori or, if known, the system is unaware of the particular person that retrieves the information. Information is provided automatically by the system, without the doctor responsible for the record being aware of the retrieval at the time it happens. Pull-based approaches to exchanging medical information are useful because, at the time of access, the most up-to-date information is obtained. For example, if a patient is referred to a specialist, a general practitioner (GP) can send a message containing a breakdown of the most relevant information about the patient to that specialist. However, it is conceivable that further relevant information which is not known at the time of making the referral (e.g., a lab result which is due to return) will be integrated in the referring GP's system after the referral message has been constructed. The specialist sees the referral message, but not the relevant updates. If a pointer to a record (containing the referral message, possibly as typed in by the GP and/or in part automatically ‘extracted’ by the GP's own system from patient data stored in that system) is passed to the specialist instead, or if this information can be pulled in some other way, updates will be visible at the time that the patient is with the specialist (which may be some days or even weeks after the referral letter was sent out). This motivates the use of pull-based access instead of “push” based information exchange. Push-based information exchange is typically implemented by sending a static message to another doctor.
The approach proposed herein offers a middle ground between push-based information exchange, which has the advantage that the information is passed to a specific healthcare professional or organization in a controlled way, and pull-based access, which ensures that access is provided to the most up-to-date information present in the sender's system.
A centralized architecture may be understandable from the point of view of efficiency, control, the ability to manage access in a relatively simple way, and ease of use from the clinical perspective. However, a centralized infrastructure comes with various inherent security and privacy risks.
Efforts to (partially) centralize access to medical records continue to have disadvantages. For example, in the Dutch Electronic Patient Dossier (EPD) system, records remain under control of physicians in their own systems. Read-only access to patient records is provided through a central switching point, which contains a reference index per patient, where each reference points to a decentrally stored record of the patient. The system implements Role-Based Access Control (RBAC). Physicians or their employees can sign requests using a personal smartcard backed by a government Public Key Infrastructure (PKI). Certificates issued by a government-backed Certificate Authority (CA) indicate the profession/specialization and the name of the invoking healthcare professional, and this information is used by the switching point to make central access control decisions.
A security breach of the central switching point can lead to retrieval of any patient record in the system, since signatures over requests are not forwarded to the endpoints from which the records are requested. Even if they were forwarded, an attacker with a (stolen, with PIN code) physician smartcard can obtain many records by sending requests to the endpoints where the patient records reside. Furthermore, a breach or other failure of the central switching point can lead to records becoming completely unavailable. The ‘trust model’ of the system thus depends crucially on the reliability and operational security of the central switching point. Further, the indices and log files in the central infrastructure contain information about all treatment relationships of a patient. From this data, much can be derived about a patient's medical history, even when the information itself cannot be retrieved. The mere fact that a patient has a record at an oncological center, or that a doctor at a rehab clinic looked at a record (as visible in the logs), leaks information about the patient. Such information should not be accessible for longer than necessary, and need not necessarily be centrally registered or accessible at all.
Additionally, requesting physicians are not known by the switching point (or the endpoint where the record resides) to have a ‘treatment relation’ with the patient, i.e., to be authorized by the patient. This means that, from a technical perspective, any physician with a valid certificate (with acceptable attributes, from the perspective of RBAC) can request information about any patient. Effectively, the Dutch EPD system relies on self-authorization of physicians; the switching point cannot verify whether a physician is authorized by the patient whose record is retrieved. This makes the system vulnerable to attacks using stolen smartcards (with PIN codes).
There also exists a delegation system in the Dutch EPD system, where an employee can claim to work for a physician, or change a table in the system to make it appear as if working for a physician, and request information on behalf of a physician in the same organization. When large organizations are attached to the switching point, it becomes evident that delegating authority to access the EPD system to employees makes the system even more vulnerable to misuse or theft of employee smartcards (with PIN code) or to intrusions in the attached systems. These aspects make the system (including all source systems that provide access to patient records via the system) dependent on the (operational) security and trustworthiness of thousands of systems connected to the central switching point, including the users and administrators of these systems. The impact of a possible intrusion can be very large due to the scale of the system, which contains information about almost any person in a country and allows information about most persons to be retrieved from any system in the country that is attached to the switching point. Role-based access control (RBAC) alone, as applied currently in the EPD and many other pull-based systems, will not help much to limit the impact of an intrusion, as basic information will usually be accessible from any RBAC-defined role. In particular, medication information (prescriptions, pharmacist records) is probably visible to most or all doctors. Some legal safeguards are proposed, but these will not deter all misuse at the scale of the EPD. The ‘attack surface’ is simply very large.
Not all systems have centralized switching points as the Dutch system does. Some have centralized ‘indices’ (which are usually protected using some form of RBAC based on some PKI or [distributed] identity management system), while the eventual requests for information are sent point-to-point (i.e., directly from client to server; the server is found in the index). Various architectural approaches exist. However, most if not all depend on a centralized (external) database which contains a list of references to records. These references are tied to the central system, as is (usually) access control, and access control is usually role based. The indices can be managed at various scales, from within a hospital (to couple systems in different departments or wards), within a small region consisting of various healthcare organizations (or possibly different locations run by one organization), up to national scale. All of these approaches are vulnerable to attack on, or failure of, the centralized ‘index’ from an availability as well as a security (confidentiality, integrity) perspective. Furthermore, access control is generally not fine-grained (authorization is not specific), and patients have few options but to say “yes” or “no” to sharing information through such a system.
Current approaches like those proposed by IHE (Integrating Health Enterprises) for cross-enterprise document sharing, or by the Dutch government, essentially create a virtual database with a central index and/or a centralized access point, where role-based access control (RBAC) is used to determine whether some physician is allowed to access a record. However, such approaches are not able to verify that the physician is actually involved in treating the patient, nor do they in general provide a means for patients to verify or assess this in advance. This makes these approaches, particularly if applied at a large scale with many client systems and doctors or employees who can access the system, vulnerable to malicious or accidental attacks or incidents. It is debatable whether this can be regarded as ‘adequate protection’ of medical records; adequate security measures are a requirement in Europe, for example, and are also required by the European Court of Human Rights. One case decided by the European Court of Human Rights has indicated, for example, that hospitals must take appropriate measures to prevent personnel who are not (directly) involved in treatment from accessing records. It seems that current cross-enterprise/cross-organizational data sharing systems like those of the Dutch government (which have an even larger number of users) or IHE cannot meet this requirement.
Whether a central database is used, or a centralized ‘reference index’ combined with a centralized access (and access control) point (a central reference monitor), the choice does not change the risks caused by too many people having a role (function) that in principle grants access to medical information, as is the case in a system with RBAC. The only way to reduce risk is to introduce proper authorization structures in the system, where physicians do not get access except when explicitly authorized. A conceivable middle ground is one where a full ward or hospital (or organization, in general) is authorized, and this organization is responsible for internal authorization. Even so, this limits the ‘attack surface’ in that records can be accessed only from that explicitly authorized organization. Alternatively, a physician (or group of physicians) can be authorized, who can sign delegation certificates for employees to explicitly delegate authorization, assuming a public key cryptography based infrastructure. Requiring prior explicit authorization before granting access to records is feasible, although there may be situations where information (typically of a particular type only) should be available also without prior authorization (e.g., in emergencies). Thus, based on circumstances and a policy set for a given record (type), special approaches that use weaker authorization structures for particular records are conceivable.
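The contrast drawn above, between an RBAC-only decision (as described for the Dutch EPD switching point, where any physician with an acceptable certificate can retrieve any record) and explicit patient authorization with signed delegation certificates verified at the endpoint, can be made concrete in a small model. The following is an added example written for this text; it is not part of the patent nor of any of the systems it describes. An HMAC over a per-professional key stands in for a PKI smartcard signature, the endpoint's `trusted_keys` table stands in for certificate validation against a CA, and all names, keys and the record are constructed for the example.

```python
"""Toy model of endpoint-side authorization for decentrally stored records."""
import hashlib
import hmac
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample signing keys (an HMAC key stands in for the private key on
# a PKI smartcard; the endpoint's copy stands in for the CA-validated public key).
KEYS: Dict[str, bytes] = {
    "dr_vos": b"gp-key",
    "dr_pim": b"specialist-key",
    "nurse_ann": b"employee-key",
    "dr_x": b"oncologist-key",
}

@dataclass(frozen=True)
class Certificate:
    name: str   # professional's name as asserted by the CA
    role: str   # profession/specialization attribute used for RBAC

@dataclass(frozen=True)
class Delegation:
    delegator: str   # physician explicitly authorized by the patient
    delegate: str    # employee acting on that physician's behalf
    signature: str   # delegator's signature over (delegator, delegate)

@dataclass(frozen=True)
class Record:
    patient: str
    kind: str
    body: str
    allowed_roles: frozenset   # RBAC: roles permitted to read this record kind
    authorized: frozenset      # explicit: professionals the patient authorized

def _sign(key: bytes, message: str) -> str:
    return hmac.new(key, message.encode(), hashlib.sha256).hexdigest()

def _request_msg(cert: Certificate, patient: str, kind: str) -> str:
    return f"req|{cert.name}|{cert.role}|{patient}|{kind}"

def sign_request(cert: Certificate, patient: str, kind: str) -> str:
    """Client side: the requester's own key signs the request fields."""
    return _sign(KEYS[cert.name], _request_msg(cert, patient, kind))

def issue_delegation(delegator: str, delegate: str) -> Delegation:
    """Client side: a physician signs a delegation certificate for an employee."""
    return Delegation(delegator, delegate, _sign(KEYS[delegator], f"del|{delegator}|{delegate}"))

class Endpoint:
    """Source system holding its own records; it verifies every signature itself,
    so a central index cannot fetch records without a professional's signature."""

    def __init__(self, records, trusted_keys: Dict[str, bytes]):
        self.records = {(r.patient, r.kind): r for r in records}
        self.trusted_keys = trusted_keys

    def _valid(self, signer: str, message: str, signature: str) -> bool:
        key = self.trusted_keys.get(signer)
        return key is not None and hmac.compare_digest(_sign(key, message), signature)

    def fetch_rbac(self, cert, patient, kind, signature) -> Optional[str]:
        """RBAC only: any validly signed request from a permitted role succeeds,
        whether or not the patient ever authorized the requester."""
        if not self._valid(cert.name, _request_msg(cert, patient, kind), signature):
            return None
        rec = self.records.get((patient, kind))
        return rec.body if rec and cert.role in rec.allowed_roles else None

    def fetch_explicit(self, cert, patient, kind, signature, delegation=None) -> Optional[str]:
        """Explicit authorization: the requester, or the physician whose signed
        delegation names the requester, must be on the record's authorized list."""
        if not self._valid(cert.name, _request_msg(cert, patient, kind), signature):
            return None
        principal = cert.name
        if delegation is not None:
            if delegation.delegate != cert.name:
                return None
            msg = f"del|{delegation.delegator}|{delegation.delegate}"
            if not self._valid(delegation.delegator, msg, delegation.signature):
                return None
            principal = delegation.delegator   # authority flows from the delegator
        rec = self.records.get((patient, kind))
        return rec.body if rec and principal in rec.authorized else None

def demo() -> Dict[str, Optional[str]]:
    """Constructed scenario: a medication record readable by many roles under RBAC,
    but explicitly authorized by the patient only for the GP and one specialist."""
    record = Record("patient-1", "medication", "metformin 500mg",
                    allowed_roles=frozenset({"gp", "specialist", "oncologist", "employee"}),
                    authorized=frozenset({"dr_vos", "dr_pim"}))
    ep = Endpoint([record], KEYS)
    dr_x, dr_pim = Certificate("dr_x", "oncologist"), Certificate("dr_pim", "specialist")
    nurse = Certificate("nurse_ann", "employee")
    args = ("patient-1", "medication")
    return {
        "rbac_uninvolved": ep.fetch_rbac(dr_x, *args, sign_request(dr_x, *args)),
        "explicit_uninvolved": ep.fetch_explicit(dr_x, *args, sign_request(dr_x, *args)),
        "explicit_authorized": ep.fetch_explicit(dr_pim, *args, sign_request(dr_pim, *args)),
        "explicit_delegated": ep.fetch_explicit(nurse, *args, sign_request(nurse, *args),
                                                issue_delegation("dr_pim", "nurse_ann")),
        "explicit_no_delegation": ep.fetch_explicit(nurse, *args, sign_request(nurse, *args)),
        "explicit_bad_delegator": ep.fetch_explicit(nurse, *args, sign_request(nurse, *args),
                                                    issue_delegation("dr_x", "nurse_ann")),
        # signature not made with the named professional's key: rejected at the endpoint
        "unsigned_by_requester": ep.fetch_explicit(dr_pim, *args, _sign(b"other", "x")),
    }

if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:24s} -> {'GRANTED' if outcome else 'denied'}")
```

The `rbac_uninvolved` case is the self-authorization problem described for the EPD: `dr_x` holds a valid certificate with a permitted role and has no treatment relation with the patient, yet the RBAC path returns the record. Under `fetch_explicit` the same request is denied, an employee succeeds only with a delegation signed by a physician the patient actually authorized, and because the endpoint checks the signature itself, a request that an intermediary assembles without the professional's key is rejected regardless of which policy is in force.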
Another aspect of risk is not so much the number of people who can potentially access patient information, or the number of systems from which patient information may be retrieved, but the mere existence of a central access point. If an intrusion (possibly from the inside) takes place in such a central facility, it may be possible to retrieve any record from the system without anyone noticing. A further vulnerability is that a central core component can become a single point of failure, both in the sense of availability and in the sense of security.
Risks also exist when decentralized access control (i.e., where the source system/server implements authentication of clients) is combined with a central reference index which is broadly accessible or which may be compromised, as is done in some IHE standard-based systems. The mere fact that some person has seen a specific doctor (think of a psychiatrist, a gynecologist, a doctor at a rehab clinic or a pharmacist next door to a rehab clinic, or an oncologist) can give away a lot of information about the patient, and can make the patient vulnerable to, for example, blackmail. So in general it is also a good idea to avoid central reference indices if possible, even if the information itself is retrieved using a secure end-to-end mechanism.
Thus, there is a need for a decentralized approach to access to data, such as medical records, where patients and/or their physicians can control the disclosure of medical data.